012b7be96be0d30ed45f40421750db504c2fdddf0eebffea4170dfd7f1107254

Analysis

max time kernel
150s
max time network
118s
platform
windows10_x64
resource
win10v20210410
submitted
16-04-2021 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

136KB
MD5

a77a5e80020273ff0f6eea3990c76cb6
SHA1

8eefea2d1bb7d93037976429340793c1bcce0d84
SHA256

3d0041832e8b6f5b95cb33d286c24c53ccc9341549589ae8822c6084e8d2aa5c
SHA512

ab296892cb314914c9c04a37441a2f9a41cf5b5e1eafdaee6b576338f2be9501170587eb13bdbb715cf0d79e3beef0f57e3e472b187c51196e1d2d38a3be2cb6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Setup1.exemdac_typ.exeacmsetup.exe

pid process

192 Setup1.exe
2336 mdac_typ.exe
3744 acmsetup.exe
Drops startup file 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ST6UNST Uninstaller.LNK setup.exe

pid	process
192	Setup1.exe
2336	mdac_typ.exe
3744	acmsetup.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ST6UNST Uninstaller.LNK	setup.exe

Loads dropped DLL 14 IoCs

Processes:

setup.exeSetup1.exeacmsetup.exeodbcconf.exe

pid	process
3616	setup.exe
192	Setup1.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3744	acmsetup.exe
3700	odbcconf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mdac_typ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	mdac_typ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mdac_typ.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

setup16.exe

description	ioc	process
File opened (read-only)	\??\Y:	setup16.exe
File opened (read-only)	\??\T:	setup16.exe
File opened (read-only)	\??\R:	setup16.exe
File opened (read-only)	\??\F:	setup16.exe
File opened (read-only)	\??\X:	setup16.exe
File opened (read-only)	\??\L:	setup16.exe
File opened (read-only)	\??\J:	setup16.exe
File opened (read-only)	\??\I:	setup16.exe
File opened (read-only)	\??\E:	setup16.exe
File opened (read-only)	\??\W:	setup16.exe
File opened (read-only)	\??\U:	setup16.exe
File opened (read-only)	\??\M:	setup16.exe
File opened (read-only)	\??\K:	setup16.exe
File opened (read-only)	\??\G:	setup16.exe
File opened (read-only)	\??\N:	setup16.exe
File opened (read-only)	\??\H:	setup16.exe
File opened (read-only)	\??\Z:	setup16.exe
File opened (read-only)	\??\V:	setup16.exe
File opened (read-only)	\??\S:	setup16.exe
File opened (read-only)	\??\Q:	setup16.exe
File opened (read-only)	\??\P:	setup16.exe
File opened (read-only)	\??\O:	setup16.exe

Drops file in System32 directory 64 IoCs

Processes:

setup.exeacmsetup.exeSetup1.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SysWOW64\expsrv.dll	setup.exe
File created	C:\Windows\SysWOW64\DBNMPNTW.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\VFPODBC.TXT	acmsetup.exe
File created	C:\Windows\SysWOW64\DRVVFP.CNT	acmsetup.exe
File created	C:\Windows\SysWOW64\temp.000	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\msrd3x40.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\msjter40.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\u2dpost.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2bxbse.dll	Setup1.exe
File created	C:\Windows\SysWOW64\INSTCAT.SQL	acmsetup.exe
File created	C:\Windows\SysWOW64\ODBCTL32.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\ODBCJET.CNT	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\u2frec.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\u2dvim.dll	Setup1.exe
File created	C:\Windows\SysWOW64\ODBC32GT.DLL	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\msjtes40.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\mswstr10.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2soledb.dll	Setup1.exe
File created	C:\Windows\SysWOW64\MsOracle32Readme.txt	acmsetup.exe
File created	C:\Windows\SysWOW64\DRVVFP.HLP	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\msrepl40.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\expsrv.dll	Setup1.exe
File created	C:\Windows\SysWOW64\temp.001	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\crtslv.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\u2fxls.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2sora7.dll	Setup1.exe
File opened for modification	C:\WINDOWS\SysWOW64\vbajet32.dll	setup.exe
File created	C:\Windows\SysWOW64\MSRD2X35.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\MSTEXT35.DLL	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\u2fodbc.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\u2fcr.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2bdao.dll	Setup1.exe
File created	C:\Windows\SysWOW64\DS16GT.DLL	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\DBNMPNTW.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\MSJINT35.DLL	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\VB5DB.DLL	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\msjet40.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\crxf_pdf.dll	Setup1.exe
File created	C:\Windows\SysWOW64\DS32GT.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\ODBCCP32.CPL	acmsetup.exe
File created	C:\Windows\SysWOW64\ODBC16GT.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\SQLSODBC.HLP	acmsetup.exe
File created	C:\Windows\SysWOW64\DBMSSHRN.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\MSEXCH35.DLL	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\u2dapp.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\u2ddisk.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2ssyb10.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2ssql.dll	Setup1.exe
File created	C:\Windows\SysWOW64\ODBCINST.HLP	acmsetup.exe
File created	C:\Windows\SysWOW64\MSORCL32.HLP	acmsetup.exe
File created	C:\Windows\SysWOW64\VFPODBC.DLL	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\u2fwordw.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\u2dmapi.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2sodbc.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\P2bbnd.dll	Setup1.exe
File created	C:\Windows\SysWOW64\ODBCINST.CNT	acmsetup.exe
File created	C:\Windows\SysWOW64\DBMSSOCN.DLL	acmsetup.exe
File created	C:\Windows\SysWOW64\WINDBVER.EXE	acmsetup.exe
File created	C:\Windows\SysWOW64\MSPDOX35.DLL	acmsetup.exe
File opened for modification	C:\Windows\SysWOW64\u252000.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\p2sifmx.dll	Setup1.exe
File opened for modification	C:\Windows\SysWOW64\u2lcom.dll	Setup1.exe
File created	C:\Windows\SysWOW64\ta03744	acmsetup.exe
File created	C:\Windows\SysWOW64\MSJTER35.DLL	acmsetup.exe

Drops file in Program Files directory 29 IoCs

Processes:

acmsetup.exeSetup1.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\MSADC\HANDLER.REG	acmsetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll	Setup1.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSDASC.CNT	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\SQLSOLDB.HLP	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\SQLOLEDB.TXT	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\ADO\ADOAPT15.REG	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\ADO\MAKFRE15.BAT	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSDAERR.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSOrclOLEDBreadme.txt	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\JoltReadme.txt	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\MSADC\MDAC11.CAB	acmsetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\OLE DB\sqloledb.dll	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\ADO\ADOreadme.txt	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\MSADC\MSADCFR.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\MSADC\MDAC20_A.CAB	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\ADO\MAKAPT15.BAT	acmsetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\OLE DB\msdasc.dll	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSDATL2.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\OLEDB32X.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\SQLOLEDB.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSDASC.HLP	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\ADO\ADOFRE15.REG	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\MSADC\MSADCF.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\MSADC\MSADCS.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSDASC.TXT	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSDASQLreadme.txt	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\OLE DB\MSJTOR35.DLL	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\MSADC\HANDLER.SRG	acmsetup.exe
File created	C:\Program Files (x86)\Common Files\System\MSADC\MDAC20.CAB	acmsetup.exe

Drops file in Windows directory 11 IoCs

Processes:

setup.exeSetup1.exeacmsetup.exe

description	ioc	process
File created	C:\WINDOWS\SETUP.LST	setup.exe
File created	C:\WINDOWS\Resultados.CAB	setup.exe
File opened for modification	C:\WINDOWS\Resultados.CAB	setup.exe
File created	C:\WINDOWS\temp.000	setup.exe
File created	C:\WINDOWS\Setup1.exe	setup.exe
File created	C:\WINDOWS\ST6UNST.000	setup.exe
File opened for modification	C:\WINDOWS\ST6UNST.000	setup.exe
File opened for modification	C:\WINDOWS\st6unst.exe	setup.exe
File opened for modification	C:\WINDOWS\Setup1.exe	setup.exe
File opened for modification	C:\WINDOWS\ST6UNST.000	Setup1.exe
File created	C:\Windows\MSDFMAP.INI	acmsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

setup.exesetup16.exeacmsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\ = "DataObject"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib\Version = "6.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)	setup16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\TypeLib\Version = "6.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)\Bootstrapper\Exit Level\ = "7"	acmsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\ = "C:\\WINDOWS\\SysWow64\\msvbvm60.dll\\3"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\ = "LicenseInfo"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ = "_DClass"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MS Setup (ACME)\Bootstrapper	setup16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\ = "EventInfo"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C1-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\ = "PropertyBag_VB5"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7500A6BA-EB65-11D1-938D-0000F87557C9}\ = "DataBinding"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib\Version = "6.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\WINDOWS\\SysWow64\\msvbvm60.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\foobar	acmsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\ = "_PropertyBag"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\ = "ContainedControls"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{737361EC-467F-11D1-810F-0000F87557AA}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{737361EC-467F-11D1-810F-0000F87557AA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\TypeLib\Version = "6.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}\ = "_DPersistableDataSourceClass"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\TypeLib\Version = "6.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\TypeLib\Version = "6.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C4-4442-11D1-8906-00A0C9110049}\TypeLib	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Setup1.exe

pid process

192 Setup1.exe

pid	process
192	Setup1.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

setup.exeSetup1.exemdac_typ.exesetup16.exeacmsetup.exe

description	pid	process	target process
PID 3616 wrote to memory of 192	3616	setup.exe	Setup1.exe
PID 3616 wrote to memory of 192	3616	setup.exe	Setup1.exe
PID 3616 wrote to memory of 192	3616	setup.exe	Setup1.exe
PID 192 wrote to memory of 2336	192	Setup1.exe	mdac_typ.exe
PID 192 wrote to memory of 2336	192	Setup1.exe	mdac_typ.exe
PID 192 wrote to memory of 2336	192	Setup1.exe	mdac_typ.exe
PID 2336 wrote to memory of 1368	2336	mdac_typ.exe	setup16.exe
PID 2336 wrote to memory of 1368	2336	mdac_typ.exe	setup16.exe
PID 2336 wrote to memory of 1368	2336	mdac_typ.exe	setup16.exe
PID 1368 wrote to memory of 3744	1368	setup16.exe	acmsetup.exe
PID 1368 wrote to memory of 3744	1368	setup16.exe	acmsetup.exe
PID 1368 wrote to memory of 3744	1368	setup16.exe	acmsetup.exe
PID 3744 wrote to memory of 4052	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 4052	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 4052	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 2212	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 2212	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 2212	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3084	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3084	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3084	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 500	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 500	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 500	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3088	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3088	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3088	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 4060	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 4060	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 4060	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3700	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3700	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 3700	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 2072	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 2072	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 2072	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 204	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 204	3744	acmsetup.exe	odbcconf.exe
PID 3744 wrote to memory of 204	3744	acmsetup.exe	odbcconf.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616

C:\WINDOWS\Setup1.exe
C:\WINDOWS\Setup1.exe "C:\Users\Admin\AppData\Local\Temp\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:192

C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\mdac_typ.exe
C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\mdac_typ.exe /q:a /c:"setup.exe /QN1"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\setup16.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe -m "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe" /QN1
4⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368

C:\~MSSETUP.T\~mdac.t\acmsetup.exe
C:\~MSSETUP.T\~mdac.t\acmsetup /t mdac_typ.stf /S C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ /QN1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\msdaer.dll"
6⤵
PID:4052

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\msdadc.dll"
6⤵
PID:2212

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\msdasql.dll"
6⤵
PID:3084

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\msdatt.dll"
6⤵
PID:500

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\msdaenum.dll"
6⤵
PID:3088

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\msdaosp.dll"
6⤵
PID:4060

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\oledb32x.dll"
6⤵
- Loads dropped DLL
PID:3700

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Program Files (x86)\Common Files\System\OLE DB\oledb32.dll"
6⤵
PID:2072

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe REGSVR "C:\Windows\system32\oleaut32.dll"
6⤵
PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS16GT.DLL

MD5
dfd86da777c3201db0dd2658bd47b611

SHA1
f0d9c7c9ab49e5c852938faae047dc2fa9fc5f9b

SHA256
7567ab26a540076afb0f390687e2308f7af00abe04dfad92256cbb4a72096d91

SHA512
9cc24a2bc6ead1f6582b3814ea4e471d94e36e84a06cf4a1af303d1021e24f5abc7d384493c0736a6cb3d05a573d50106165620be207e65b38fda4091ce9278d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS32GT.DLL

MD5
985346aa9c2f85a5a83840946a73bf35

SHA1
479020ced141fd3222a855ab68da0ad84262af63

SHA256
4715096f7f79f69bcf5af09ea7336df55ddae23c490233134520e9446b0d6e5c

SHA512
87c44205bf6bbe576d351f34b5056c34e331471c48ffb35f55b02dc3d2df3d380c256c911cee73ea12205b29aa052ebb8b2cc2b18c3bf8e81b00943aaddd98ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HANDLER.SRG

MD5
9affddc9de4ba7f5385ccc2801b52ade

SHA1
15de16c5d5cc4af98b7d33a4950cf9c0380a57a3

SHA256
82954440bf5bf4dd63c4301e6587d98cc816fb94f2e8c4d88bce2ff55d859ec1

SHA512
995a3ac82e418866dce4e971b322c9004d2f7722a2b93d5503a0fc87b4791721687881c16c17f256b743ec78591482c35f0495936a0fdc2c3bd8a22469737848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSDAERR.DLL

MD5
07e2e145909feb3b023b838fa26e12bf

SHA1
fcaf3d2c0951909e9248773c2f3648c3fafe6227

SHA256
d011dddff51a30a0544d4e604aa30336aeb70eb492ef37a2c6c248eae3f57ddb

SHA512
8180d210e450b42b3c4f5f51f732e0459b1eb3f39f8f235a7c9e5411989f13e5e6c6507293d625cdd48b1c5f0feef1bba01ce1a4b2904342a78fbf89da7871f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSDASQ~1.TXT

MD5
f3ec48f09917e66d8ac156f11d60bced

SHA1
cc4e9695b6de7acf41fbc8c986c6ad53d47f299a

SHA256
cd052c66ee5312e060572212aaa01a3d062d81fe366246e728ad514d0c8c6f40

SHA512
8738e3f0ca1c5c14512a4415b72ca2809563f9bfda64cd3436154dd1133043a2f5852deaa48c6018d02dba33687c7186a17b8b94d0bf841a1bb55ce114c45a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSDATL2.DLL

MD5
8a2fceeda760946f2bd967219c5aa8d5

SHA1
0d2cbd9fe754f4926f9eafe0e5ca055a26f49b73

SHA256
fa151e1e1ac0031e8b072b252d05f39d640a6e02dbc93c3fd9c56a8099b3af93

SHA512
d9093afb73be90066d1892025ae79ec0b029ed7975e75db09ee3c7e2bf485da1a25de6b8940e88bdb9d487afd9cb166e12946484aeb6d0158610fd480f51ac15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODBC16GT.DLL

MD5
c7ae3056763301fc7739c9688e37b949

SHA1
3172da2018e6bd182b3c1cd414116a03fc32909c

SHA256
a533ef223fe760d23bfc35c1a4c5b06a3cc6b9017d0ab8c7dc2411c516456312

SHA512
8df565e1b03069e3bc469d53bea4c0f2a60446b13f5e2de445acfcf994d08ad84ee656c4b560fc61fec228588c3f2748fbaf97495a39977fb77e8047e76ab08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODBC32GT.DLL

MD5
72cabe25717588a948b5791a0bc57562

SHA1
027eefe6e173b744198417c2132a13d1ae2855e1

SHA256
178dd04ccc8dcc32936a751a594bcd94bb138bea700da4a33d398a1ad3b2f2e4

SHA512
3b707dddd003c0877599e24d31671e28022aaf79db3b1b67bf58368df6da92e28af6b7647acae8e6d00dae58995f199b13bcfbe66696d3f4a029c14085fe8a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ODBCCP32.CPL

MD5
c89cf352ddf1bfdec092e8befa0925b3

SHA1
8dc5593c09bb7a0829e629e1ae3e9bd48ddb0138

SHA256
f099c625b535a365884225509294a3a118d58e35030bb51360182285e09b9a33

SHA512
1068bff60010265a58c4293e1811994bdb44ef24daacd34efb7d613c13965b0fcd7651f1a481691dfdfadc4a5fd49c9cfff7499eb27752328e924aa3bf7682a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SelfReg.dll

MD5
a88346c7d3c20df8ee796012330b6fc2

SHA1
d0c1593845a67e760aa0ffb2b3c391e295f10f45

SHA256
8878e1e600abeb4bd7324a8435f8ffcaea438743bdc9e0da154bdcf8ecc879a3

SHA512
1a5ba18969dd1067b0c2dfebb84f09f121698c7290e5a5ccabb1c82aaeffa567f25947243a66d3584516791aee33f066651f044e5de6dfcd73bcdb82f866853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\acmsetup.exe

MD5
9b658a7e2ce494d53e79392ed7400f68

SHA1
78ce8f8bb29268ca096b3a4b8b5a983b5cfe24e1

SHA256
65ec6d4ffef9bca6883943ab44b28033f2abf1646cf49b3ae3aeb8bb699f3af2

SHA512
9fe33ad422ef66b1c6f2cb66a51acfad6410960795aa52653c9f6b2d8ba62200321d49890890a6ceca2b961a9bde234e8217029a741525130f775b62db7c9159

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\acmsetup.hlp

MD5
73c25ae0c1769d5f9224c42918b1e02c

SHA1
83e8a696e68afdb91de5068fa1b4006a81c47ab4

SHA256
bb01707fe351952e3719fafa3361642b81069733e6ce83b06b78ddc779eaaea8

SHA512
49e969711a06c4f8f42ff0992d0fb51e3c57acce4f2d3d02cd2a51a4147ac7360b54233c0036d6f148001fdf599cdf176fbdc111f3096edf05d7b8e275d1cc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\common98.dll

MD5
2afc512e9c0b08f6e68f64c14e2ac604

SHA1
41b90f7d06550b9f2502ed8b32534a38a7687c11

SHA256
2dbc87859812b6b6984cab01814a662fec2cc69560e8c1969abe58cc0d0d957d

SHA512
a6a2c6324626d3d6d5b89fbee6fa7ec5793f4b297f9ff8b63bd6603a5cdde6c961636afff99522979c75a9375463e2ea128bda3e40225204f3a4d314f0a9fc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mdac_typ.inf

MD5
bb3291b2addc51860d724e44460a50ba

SHA1
58055cc8a1f8aef5e075ee34b943ef4d8c30c08b

SHA256
63c50edecc6d5c1df94fbc9ccb0c88b8e8486be77681196e7b61c4b3afacd75c

SHA512
02b7df2a8f1f450dce8dfa91792bbf3e8d96138c945057971e7da3e9edf37658b0d8ddd735a423cce008a9c626fa3011cbdb17437086a699d88ab52f9bfc44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mdac_typ.stf

MD5
04779a4e3826b45173c9a36576d51a81

SHA1
4981a701128a15a87a2c4a70f73fa25ba253738a

SHA256
ed001bf50f66901c40a01326405638185a8604caa045bb0fef8402bfdb59bbb1

SHA512
9eb6db77c4328222f8fd37f3f4e9821ac9e7c54c6104485ae2c8453132b83fa04adb7c9502b62afb7808f55c1548edf9270928ac3470b38120a83da973f5d88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdasc.dll

MD5
b7bacd398e382b3e5998bb2053625563

SHA1
21fd13e22f06ffa87d373e131973738fafc8502e

SHA256
666781754d3365d1d7ce632bf2fe67bc803ccdc754a5013471dcb9e73c7815df

SHA512
16894a80add250edb205ac2b414cc632b49b24a26e06acf8f186eed0794e619ce3d8c02d8f056b5c47b26ef7de4dbce327df4fce95f4b25e449da3649d40776d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mssetup.dll

MD5
d5d072540f69cdcae1ddec6f116ea65a

SHA1
0e105e6968d868ba23b13d9eb1e83a34c2015aea

SHA256
b9b3abb404481d98b0cb8ec3dd728f12a3f2505d4cc7e4c59e8509abfa694710

SHA512
64748600aa32181d7ce5ad82238bc84606931275aff58858578fd9bc5c01fa7809c095195939c3811e91362f2470abeebccd93ed7921bd3342f7fe13a96fac66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvcrt.dll

MD5
779c065d6bf4b0d5c3f7edbb4248b84c

SHA1
12607c24cc7faf12e66de07163dd591f46473880

SHA256
3ef37b982dc58b12f72c978e0bdc19f6af74fd2a582818788d422b6914c0698d

SHA512
8b1ad291e6eca82cd3d63637ad14d6f5a1a27566c3ed59cced7591134719acd25f15865ac06e4c17d0d0cac546bdbfcc082ac6bf79da3ef898a3a2018cd98b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\odbccp32.dll

MD5
08f4182e94ea4cd41ff12ecf8ef83556

SHA1
17baed3cfe30d4cf41e01167ca67c88e7f22b30d

SHA256
aca13860b6a02749fe42e0f8cd856787065688071a27a7fb78cbba445a22c435

SHA512
1d5daf32a08bf3f15737582a33ec879d8b7b8eb4c5333a360c80de2b76580582a0bc4871b09c23e0a0bbe8fca46ab735599338029af5f37e9e23c4b183b641c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\odbcinst.cnt

MD5
c750112871fc7d6a37b9db626d2acce4

SHA1
ae5d8fc99ee00698cdd853d096aaf46db7801306

SHA256
13c8f2c4daade76c7e4ad4a4352d46fce89abd06857f2c76347945eb230ea387

SHA512
f05875b3cf2890a083480373ee15ec468b5d2df7385aedf0eb73e8c15551550738fbfeaf51875aaf80534c90a3dff08bd1fe6c31eb478b922d2cf010bab892e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\odbcinst.hlp

MD5
933be9555b1ba4abf3ac8956511e0ed2

SHA1
0fd746bbc8465cae825f50e84139c3444fb9e2b6

SHA256
6eaf180fd595d8e572da8c1739d0f231ee462951cd73b84e575082f905e5b50b

SHA512
4f51166976617322c4c91a80668931b515c68e3732e1c6deb2acd44c34dcb13fd99e0f865448900b6bc35d2bc6a983a252dff7228177c53f4ba159eef51ad421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\odbcint.dll

MD5
6c58ec355ade4b1d14d59560b8e57c5e

SHA1
b8a3cdadd63c1857903b78af2b33dfd8ebdb8572

SHA256
f595054f3a56c87559e384a3ee942821768a49e78ed093221cb6badc022551e9

SHA512
7f56c48e34e1c984eed6ac06eee25e714a4aa93f08a3b5b5a45f8af729e167f6f60bbdd6b27763ee858e90d78de01058736f2ed7bb2465ca9cb2ee1f728cf58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\odbckey.inf

MD5
8a167d44d02c33aa5d8e52716e2c38cf

SHA1
792a2dcba28f5a9cbc1611e79ad1d594ad39ff7c

SHA256
f765a7227d81020b1c69359fe014ca941db5390660513f0070f27e3259aad716

SHA512
c28b024aedc28c706d2217c39354bfbc45d3071e783719d514c7c5db42bd8f3528ce4d9484c656b208be615eeadbb9de144bb9f87265a1c237fdaae2490e3310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\odbcstf.dll

MD5
9e68f82c086bfcec7468e276cd257367

SHA1
6ad8c341ae909676e68285e23aa3c4742820ea38

SHA256
220dce873eb69e71935bf53068f7e33a44cf500c87106631eb5aca448fc61a2e

SHA512
4bcddc1f5aa90fdf97bb635fed9699cf2249e36cca8b18a3961e472dff58c956898863677686cfeaef26156f6af704256a420ded585ccffdf30b2b0a3e7e6470

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qfeupd.exe

MD5
b6873acd87663d9e22725670911b586b

SHA1
f146352286dfd8145a9d5064ad81b499ec523f2f

SHA256
5cc36ea73ca05fe2b5784332b6452ec4b1625905059e973072c62cdaf503f2c4

SHA512
66e66b07039a447907bc9a7d7d08a903bc58a204a32f1c37d95dc48bb37ce180127fa46249cd4a2b4c3759a4423e5f1ed11c9e77369754c182812c3199c366a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.LST

MD5
dd74ecbc7334882c5042861d747c45d9

SHA1
936f8bd60ccdf3af7f8b656feb2b12502152dbd4

SHA256
660a977edbfafbb2e706d5a9854839bd6b335295489a0550767a948ee1358243

SHA512
64ef77f1bbc1e16c630082771f36d1dfb8e6c38b725ab31c961d7a6c1da67993bc23d32180937ec1bdaba8df8307c0b67a2ca9f64d68b084a13a5e016401ebd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

MD5
eafa2804a87078afc643f8148dd8ec78

SHA1
5480542cf7b3bc18735044116acc6a341734ae71

SHA256
e40a42fafeb4d353f54aa766714577a14956c063450058cb70d48b41f5739063

SHA512
50fffecff1dd81bf7d851b38c809f3a20a4c224e80954fdbe53bca6e92d96ed1f8aa542cd22eea57f4ed1a8533f3fb9de500dd6d1f0a071529fd9587d7c07ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.ini

MD5
6822179556122e9bbca69d177e24ca36

SHA1
2669511fb9f2373546b45680b46b59c29bece8f3

SHA256
194250402400908a1051115b5a05d18473d0f8f8e9dfffdb10b23b583987b765

SHA512
439893a10338d77f8b1f0302034894a699d50c25500405350e717cb9a24c08efeb5d0a5367ae07d64cb2e66e8b8419b80429206b244243a0d0b3f4f65072013b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.tdf

MD5
0bc2472ec42a4fc4742c817b121a0c57

SHA1
7328477a9f2311d9e4d72e1ea261031fbb19fc92

SHA256
0879e69ee425d61731589b4331358d20248c58362dd636f84b5a513f0aa4bd81

SHA512
cccfad839371a41e8ca65e57165beb55059580cdfc8abb4b73e60823ca95473783aff6e02997b6a506ff6ebb5eaff86737e9db19fc4cbe06574f9224f04d7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf16.dll

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf32.dll

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\mdac_typ.exe

MD5
eb58dba7f3fc9d8ba0d486d8e08b60e5

SHA1
05ac649932a05297cdbba554f5d3349bb5beac36

SHA256
dc14f8710e7281a5e1722edb53fa397e29405e9e2be8afa17716aad9b1c13782

SHA512
738d2c1badb587aa81e732685aacfa4f32cc8ae8ad2f5bdcb9b896000d6c24a8bbbe987b7f28e8526bbef4b2d8cdf6ff5af52083bbcbfcc3a4a2a58890d5de5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msftqws.pdw\mdac_typ.exe

MD5
eb58dba7f3fc9d8ba0d486d8e08b60e5

SHA1
05ac649932a05297cdbba554f5d3349bb5beac36

SHA256
dc14f8710e7281a5e1722edb53fa397e29405e9e2be8afa17716aad9b1c13782

SHA512
738d2c1badb587aa81e732685aacfa4f32cc8ae8ad2f5bdcb9b896000d6c24a8bbbe987b7f28e8526bbef4b2d8cdf6ff5af52083bbcbfcc3a4a2a58890d5de5e

Download Submit
C:\WINDOWS\ST6UNST.000

MD5
700ab18cee1aa14dc00549b98fb09d30

SHA1
e427107e4d870e1ccf9949539fd3f3b97da059ee

SHA256
224fa542c363699548830cdc6a12017bd0298ab18b4c4cbc9e25621f9734d3a4

SHA512
f41d51512d7383a031f3dae22afd776881f1e6132e0bafa5ea0d76a0c3d895de4edc279b085c7c7ee8f9613127b0dee110b43dce9561aef78645a3c53aba5c7a

Download Submit
C:\WINDOWS\Setup1.exe

MD5
c6264b17629f6f9f0bd2ba7671ceff69

SHA1
67a6b419740c1d6b780789bffcfcc83129e36d1b

SHA256
5b82b27da9bbaae1abc32095942c60017b275e002cbb2c0cb44580131f4789b4

SHA512
7ebab7444620146a065b520491faea53612d627ae85dfb4bd92201864e5cdad55fe5c94ae66a8c7a3bf7950a60c54c20b9291a70f3801e937711f1b596543f1d

Download Submit
C:\WINDOWS\st6unst.exe

MD5
ea4e2ba0d35eeadee23b0c1397c71367

SHA1
e715ddf7c568a745e7990534f06460556e20b3ed

SHA256
dafb5d89135fa565080c9c6beafbdeb7611089e946a520001a7ef02facb002d3

SHA512
64b1521c1d03683479f41f27b5a4feb4a703b70f8db45080d74d14ac1747c8fbd393adfba3b8c96748f8bc6a4bfbce00d12c44ebc1bb7285d5cf7528f5c7ab86

Download Submit
C:\Windows\Resultados.CAB

MD5
9237b40bbe7f5c9e102d9890ba8edbed

SHA1
2b72a84de8e44ec8c8a5c004df81a83bb78ac728

SHA256
18a13f653abe57328ea9680e15f7622d8f7eff53938fa1d89111cd9ff8b1af11

SHA512
a1ba8fcf8a0a4976795b70d6ef414b2ab0c8aab2f98bc656fd08da38692039580fb3085d2c94cd5d62eb33a884ab0c56e87460f91ff7ab3d11c19bb621ccbee1

Download Submit
C:\Windows\SETUP.LST

MD5
5d9e791e91ce9c6c2511e1e57d6c113d

SHA1
e78f275fe1410687a98bc6c095ec6f6fd164717a

SHA256
df50fef0f7f1e95ddf8740cad52914709d61b36e462f0d2b3c0b0790a0a501a0

SHA512
25c18c99bf91088b2db6bb7685884b1f8aed4a8636514a132ddce2193639ab1f3627912eabd5473234dcd5b4147379add27759ccea2d78318f7bbde44d8b24f2

Download Submit
C:\Windows\Setup1.exe

MD5
c6264b17629f6f9f0bd2ba7671ceff69

SHA1
67a6b419740c1d6b780789bffcfcc83129e36d1b

SHA256
5b82b27da9bbaae1abc32095942c60017b275e002cbb2c0cb44580131f4789b4

SHA512
7ebab7444620146a065b520491faea53612d627ae85dfb4bd92201864e5cdad55fe5c94ae66a8c7a3bf7950a60c54c20b9291a70f3801e937711f1b596543f1d

Download Submit
C:\Windows\SysWOW64\vb6stkit.dll

MD5
cff867572b44212b01b711c1fa009537

SHA1
3978c9f7a3d77c0bdff4353949e2143757eebc79

SHA256
df6e2f111773adec3b33dcb0b31e2a4d21ef7d51740706335f411e2c999c0e6b

SHA512
1b77ef24b1efb4939e4625deb1f8ebccc3c2edbb49b412dadb8a3c293a265c77ea84d8eb725d3af5bb84d9c040a91debe5890f57ed8750147e91f30c1a0630c4

Download Submit
C:\~MSSETUP.T\~mdac.t\COMMON98.DLL

MD5
2afc512e9c0b08f6e68f64c14e2ac604

SHA1
41b90f7d06550b9f2502ed8b32534a38a7687c11

SHA256
2dbc87859812b6b6984cab01814a662fec2cc69560e8c1969abe58cc0d0d957d

SHA512
a6a2c6324626d3d6d5b89fbee6fa7ec5793f4b297f9ff8b63bd6603a5cdde6c961636afff99522979c75a9375463e2ea128bda3e40225204f3a4d314f0a9fc5a

Download Submit
C:\~MSSETUP.T\~mdac.t\MSSETUP.dll

MD5
d5d072540f69cdcae1ddec6f116ea65a

SHA1
0e105e6968d868ba23b13d9eb1e83a34c2015aea

SHA256
b9b3abb404481d98b0cb8ec3dd728f12a3f2505d4cc7e4c59e8509abfa694710

SHA512
64748600aa32181d7ce5ad82238bc84606931275aff58858578fd9bc5c01fa7809c095195939c3811e91362f2470abeebccd93ed7921bd3342f7fe13a96fac66

Download Submit
C:\~MSSETUP.T\~mdac.t\acmsetup.exe

MD5
9b658a7e2ce494d53e79392ed7400f68

SHA1
78ce8f8bb29268ca096b3a4b8b5a983b5cfe24e1

SHA256
65ec6d4ffef9bca6883943ab44b28033f2abf1646cf49b3ae3aeb8bb699f3af2

SHA512
9fe33ad422ef66b1c6f2cb66a51acfad6410960795aa52653c9f6b2d8ba62200321d49890890a6ceca2b961a9bde234e8217029a741525130f775b62db7c9159

Download Submit
C:\~MSSETUP.T\~mdac.t\acmsetup.exe

MD5
9b658a7e2ce494d53e79392ed7400f68

SHA1
78ce8f8bb29268ca096b3a4b8b5a983b5cfe24e1

SHA256
65ec6d4ffef9bca6883943ab44b28033f2abf1646cf49b3ae3aeb8bb699f3af2

SHA512
9fe33ad422ef66b1c6f2cb66a51acfad6410960795aa52653c9f6b2d8ba62200321d49890890a6ceca2b961a9bde234e8217029a741525130f775b62db7c9159

Download Submit
C:\~MSSETUP.T\~mdac.t\mdac_typ.inf

MD5
bb3291b2addc51860d724e44460a50ba

SHA1
58055cc8a1f8aef5e075ee34b943ef4d8c30c08b

SHA256
63c50edecc6d5c1df94fbc9ccb0c88b8e8486be77681196e7b61c4b3afacd75c

SHA512
02b7df2a8f1f450dce8dfa91792bbf3e8d96138c945057971e7da3e9edf37658b0d8ddd735a423cce008a9c626fa3011cbdb17437086a699d88ab52f9bfc44f9

Download Submit
C:\~MSSETUP.T\~mdac.t\mdac_typ.stf

MD5
04779a4e3826b45173c9a36576d51a81

SHA1
4981a701128a15a87a2c4a70f73fa25ba253738a

SHA256
ed001bf50f66901c40a01326405638185a8604caa045bb0fef8402bfdb59bbb1

SHA512
9eb6db77c4328222f8fd37f3f4e9821ac9e7c54c6104485ae2c8453132b83fa04adb7c9502b62afb7808f55c1548edf9270928ac3470b38120a83da973f5d88f

Download Submit
C:\~MSSETUP.T\~mdac.t\odbccp32.dll

MD5
08f4182e94ea4cd41ff12ecf8ef83556

SHA1
17baed3cfe30d4cf41e01167ca67c88e7f22b30d

SHA256
aca13860b6a02749fe42e0f8cd856787065688071a27a7fb78cbba445a22c435

SHA512
1d5daf32a08bf3f15737582a33ec879d8b7b8eb4c5333a360c80de2b76580582a0bc4871b09c23e0a0bbe8fca46ab735599338029af5f37e9e23c4b183b641c8

Download Submit
C:\~MSSETUP.T\~mdac.t\odbcint.dll

MD5
6c58ec355ade4b1d14d59560b8e57c5e

SHA1
b8a3cdadd63c1857903b78af2b33dfd8ebdb8572

SHA256
f595054f3a56c87559e384a3ee942821768a49e78ed093221cb6badc022551e9

SHA512
7f56c48e34e1c984eed6ac06eee25e714a4aa93f08a3b5b5a45f8af729e167f6f60bbdd6b27763ee858e90d78de01058736f2ed7bb2465ca9cb2ee1f728cf58d

Download Submit
C:\~MSSETUP.T\~mdac.t\odbckey.inf

MD5
8a167d44d02c33aa5d8e52716e2c38cf

SHA1
792a2dcba28f5a9cbc1611e79ad1d594ad39ff7c

SHA256
f765a7227d81020b1c69359fe014ca941db5390660513f0070f27e3259aad716

SHA512
c28b024aedc28c706d2217c39354bfbc45d3071e783719d514c7c5db42bd8f3528ce4d9484c656b208be615eeadbb9de144bb9f87265a1c237fdaae2490e3310

Download Submit
C:\~MSSETUP.T\~mdac.t\odbcstf.dll

MD5
9e68f82c086bfcec7468e276cd257367

SHA1
6ad8c341ae909676e68285e23aa3c4742820ea38

SHA256
220dce873eb69e71935bf53068f7e33a44cf500c87106631eb5aca448fc61a2e

SHA512
4bcddc1f5aa90fdf97bb635fed9699cf2249e36cca8b18a3961e472dff58c956898863677686cfeaef26156f6af704256a420ded585ccffdf30b2b0a3e7e6470

Download Submit
\Windows\SysWOW64\VB6STKIT.DLL

MD5
cff867572b44212b01b711c1fa009537

SHA1
3978c9f7a3d77c0bdff4353949e2143757eebc79

SHA256
df6e2f111773adec3b33dcb0b31e2a4d21ef7d51740706335f411e2c999c0e6b

SHA512
1b77ef24b1efb4939e4625deb1f8ebccc3c2edbb49b412dadb8a3c293a265c77ea84d8eb725d3af5bb84d9c040a91debe5890f57ed8750147e91f30c1a0630c4

Download Submit
\Windows\SysWOW64\VB6STKIT.DLL

MD5
cff867572b44212b01b711c1fa009537

SHA1
3978c9f7a3d77c0bdff4353949e2143757eebc79

SHA256
df6e2f111773adec3b33dcb0b31e2a4d21ef7d51740706335f411e2c999c0e6b

SHA512
1b77ef24b1efb4939e4625deb1f8ebccc3c2edbb49b412dadb8a3c293a265c77ea84d8eb725d3af5bb84d9c040a91debe5890f57ed8750147e91f30c1a0630c4

Download Submit
\~MSSETUP.T\~mdac.t\common98.dll

MD5
2afc512e9c0b08f6e68f64c14e2ac604

SHA1
41b90f7d06550b9f2502ed8b32534a38a7687c11

SHA256
2dbc87859812b6b6984cab01814a662fec2cc69560e8c1969abe58cc0d0d957d

SHA512
a6a2c6324626d3d6d5b89fbee6fa7ec5793f4b297f9ff8b63bd6603a5cdde6c961636afff99522979c75a9375463e2ea128bda3e40225204f3a4d314f0a9fc5a

Download Submit
\~MSSETUP.T\~mdac.t\common98.dll

MD5
2afc512e9c0b08f6e68f64c14e2ac604

SHA1
41b90f7d06550b9f2502ed8b32534a38a7687c11

SHA256
2dbc87859812b6b6984cab01814a662fec2cc69560e8c1969abe58cc0d0d957d

SHA512
a6a2c6324626d3d6d5b89fbee6fa7ec5793f4b297f9ff8b63bd6603a5cdde6c961636afff99522979c75a9375463e2ea128bda3e40225204f3a4d314f0a9fc5a

Download Submit
\~MSSETUP.T\~mdac.t\common98.dll

MD5
2afc512e9c0b08f6e68f64c14e2ac604

SHA1
41b90f7d06550b9f2502ed8b32534a38a7687c11

SHA256
2dbc87859812b6b6984cab01814a662fec2cc69560e8c1969abe58cc0d0d957d

SHA512
a6a2c6324626d3d6d5b89fbee6fa7ec5793f4b297f9ff8b63bd6603a5cdde6c961636afff99522979c75a9375463e2ea128bda3e40225204f3a4d314f0a9fc5a

Download Submit
\~MSSETUP.T\~mdac.t\common98.dll

MD5
2afc512e9c0b08f6e68f64c14e2ac604

SHA1
41b90f7d06550b9f2502ed8b32534a38a7687c11

SHA256
2dbc87859812b6b6984cab01814a662fec2cc69560e8c1969abe58cc0d0d957d

SHA512
a6a2c6324626d3d6d5b89fbee6fa7ec5793f4b297f9ff8b63bd6603a5cdde6c961636afff99522979c75a9375463e2ea128bda3e40225204f3a4d314f0a9fc5a

Download Submit
\~MSSETUP.T\~mdac.t\mssetup.dll

MD5
d5d072540f69cdcae1ddec6f116ea65a

SHA1
0e105e6968d868ba23b13d9eb1e83a34c2015aea

SHA256
b9b3abb404481d98b0cb8ec3dd728f12a3f2505d4cc7e4c59e8509abfa694710

SHA512
64748600aa32181d7ce5ad82238bc84606931275aff58858578fd9bc5c01fa7809c095195939c3811e91362f2470abeebccd93ed7921bd3342f7fe13a96fac66

Download Submit
\~MSSETUP.T\~mdac.t\odbccp32.dll

MD5
08f4182e94ea4cd41ff12ecf8ef83556

SHA1
17baed3cfe30d4cf41e01167ca67c88e7f22b30d

SHA256
aca13860b6a02749fe42e0f8cd856787065688071a27a7fb78cbba445a22c435

SHA512
1d5daf32a08bf3f15737582a33ec879d8b7b8eb4c5333a360c80de2b76580582a0bc4871b09c23e0a0bbe8fca46ab735599338029af5f37e9e23c4b183b641c8

Download Submit
\~MSSETUP.T\~mdac.t\odbcint.dll

MD5
6c58ec355ade4b1d14d59560b8e57c5e

SHA1
b8a3cdadd63c1857903b78af2b33dfd8ebdb8572

SHA256
f595054f3a56c87559e384a3ee942821768a49e78ed093221cb6badc022551e9

SHA512
7f56c48e34e1c984eed6ac06eee25e714a4aa93f08a3b5b5a45f8af729e167f6f60bbdd6b27763ee858e90d78de01058736f2ed7bb2465ca9cb2ee1f728cf58d

Download Submit
\~MSSETUP.T\~mdac.t\odbcstf.dll

MD5
9e68f82c086bfcec7468e276cd257367

SHA1
6ad8c341ae909676e68285e23aa3c4742820ea38

SHA256
220dce873eb69e71935bf53068f7e33a44cf500c87106631eb5aca448fc61a2e

SHA512
4bcddc1f5aa90fdf97bb635fed9699cf2249e36cca8b18a3961e472dff58c956898863677686cfeaef26156f6af704256a420ded585ccffdf30b2b0a3e7e6470

Download Submit
\~MSSETUP.T\~mdac.t\odbcstf.dll

MD5
9e68f82c086bfcec7468e276cd257367

SHA1
6ad8c341ae909676e68285e23aa3c4742820ea38

SHA256
220dce873eb69e71935bf53068f7e33a44cf500c87106631eb5aca448fc61a2e

SHA512
4bcddc1f5aa90fdf97bb635fed9699cf2249e36cca8b18a3961e472dff58c956898863677686cfeaef26156f6af704256a420ded585ccffdf30b2b0a3e7e6470

Download Submit
\~MSSETUP.T\~mdac.t\odbcstf.dll

MD5
9e68f82c086bfcec7468e276cd257367

SHA1
6ad8c341ae909676e68285e23aa3c4742820ea38

SHA256
220dce873eb69e71935bf53068f7e33a44cf500c87106631eb5aca448fc61a2e

SHA512
4bcddc1f5aa90fdf97bb635fed9699cf2249e36cca8b18a3961e472dff58c956898863677686cfeaef26156f6af704256a420ded585ccffdf30b2b0a3e7e6470

Download Submit
\~MSSETUP.T\~mdac.t\odbcstf.dll

MD5
9e68f82c086bfcec7468e276cd257367

SHA1
6ad8c341ae909676e68285e23aa3c4742820ea38

SHA256
220dce873eb69e71935bf53068f7e33a44cf500c87106631eb5aca448fc61a2e

SHA512
4bcddc1f5aa90fdf97bb635fed9699cf2249e36cca8b18a3961e472dff58c956898863677686cfeaef26156f6af704256a420ded585ccffdf30b2b0a3e7e6470

Download Submit
memory/192-115-0x0000000000000000-mapping.dmp

Download
memory/204-196-0x0000000000000000-mapping.dmp

Download
memory/500-191-0x0000000000000000-mapping.dmp

Download
memory/1368-129-0x0000000000000000-mapping.dmp

Download
memory/2072-195-0x0000000000000000-mapping.dmp

Download
memory/2212-189-0x0000000000000000-mapping.dmp

Download
memory/2336-126-0x0000000000000000-mapping.dmp

Download
memory/3084-190-0x0000000000000000-mapping.dmp

Download
memory/3088-192-0x0000000000000000-mapping.dmp

Download
memory/3700-194-0x0000000000000000-mapping.dmp

Download
memory/3744-164-0x00000000023C1000-0x00000000023C4000-memory.dmp

Filesize
12KB

Download
memory/3744-154-0x0000000000000000-mapping.dmp

Download
memory/3744-171-0x00000000023D0000-0x0000000002402000-memory.dmp

Filesize
200KB

Download
memory/4052-188-0x0000000000000000-mapping.dmp

Download
memory/4060-193-0x0000000000000000-mapping.dmp

Download